Unable to generate Intel log

redbaron · May 21, 2021, 7:23am

Hi,

I have been reading the Zeek Intel docs (https://docs.zeek.org/en/master/frameworks/intel.html) and trying to get it to work on my Zeek (4.0.0 on CentOS-7).

I have correctly formatted Intel files and a custom script to load them

redef Intel::read_files += {
“/usr/share/feed/ip.txt”,
“/usr/share/feed/domain.txt”,
“/usr/share/feed/email.txt”,
};
@load frameworks/intel/seen
@load frameworks/intel/do_notice

On trying to do a DNS query for a known bad domain, nothing gets logged in intel.log or notice.log

However, I do get the following entry in reporter.log

xxxxxx.xxx Reporter::WARNING failed to convert remote event ‘Intel::match_remote’ arg #0, got vector, expected record (empty)

If anybody has any pointers on how to proceed, I will be grateful.

Thanks,
Dheeraj

ericooi · May 21, 2021, 1:12pm

This bug is fixed in 4.0.1.

redbaron · May 21, 2021, 1:49pm

Hi,

Thanks for pointing it out. I missed the entry in release notes & somehow my google skills failed to find the relevant github bug. For record it is https://github.com/zeek/zeek/issues/1506 .I’ll update Zeek to fix this.

Thanks,
Dheeraj

Topic		Replies	Views
Threat Intel Framework not generating intel.log Zeek	2	110	May 6, 2022
Help with intel framework Zeek	8	101	May 6, 2022
Help with intel framework Zeek	3	96	May 6, 2022
Intel Framework Issues Zeek	15	217	May 6, 2022
Intel framework not working as expected Zeek	1	86	May 6, 2022

Unable to generate Intel log

Related topics